
Administrator should have the option of not using e-mail address to search and display registered users, hence keeping e-mail address private #40880

@SergioArbarviro

Description


Problem description

Basically a repetition of previous issues (#6582, #14358, #14959), while the pull request that claims to solve them (#31623) actually does not.

This failure to solve the issues stems from the following request:

> Could we prevent erroneously allowing displayname and email to be set to private in the logic? Unsupported as per
>
> ```php
> if (
>     $property->getScope() === self::SCOPE_PRIVATE
>     && in_array($property->getName(), [self::PROPERTY_DISPLAYNAME, self::PROPERTY_EMAIL])
> ) {
>     if ($throwOnData) {
>         // v2-private is not available for these fields
>         throw new InvalidArgumentException('scope');
>     } else {
>         // default to local
>         $property->setScope(self::SCOPE_LOCAL);
>     }
> }
> ```
>
> In these cases we should default to local scope
>
> Originally posted by @Pytal in #31623 (comment)

This request completely destroys the very motivation for setting up the feature implemented by pull request #31623, namely to be able to set the visibility scope of the e-mail address to "private", as repeatedly described in many previous issues (#6582, #14358, #14959).
This motivation is very clear, and is rooted in European law (General Data Protection Regulation - GDPR) since 2016 at least: the e-mail address of the user should by default not be displayed, never.
There seems to be a group of people in the core team that seem to be totally deaf to this simple but extremely important concern.

My interpretation for this apparent deafness is that both "Display name " and "E-mail address" are currently used to search and display users for sharing files or folders, for inviting to "Calendar" events, for starting "Talk" conversations, for creating "Circles", etc. Actually, one of them, the "Display name" is sufficient for the purpose of contacting (for all the purposes described above) users registered on the NextCloud instance. "E-mail address" only makes sense to contact people that are not registered in the NC instance.

Solution proposed

In order to resolve the issue, I hence propose that the Administrator of the NextCloud instance have the option that only the "Display name" be used for searching and displaying registered users of the instance.

Persons that are not registered users could still be invited (to a shared file or folder, to a calendar event, to a Talk chat, etc) via their e-mail address.

This would make the setting of the scope of "E-mail address" in the account_manager.default_property_scope variable of config.php to "Private" fully legitimate.

Alternatives sought

An alternative would be that the code for setting the scope of "E-mail address" and "Display name" to "Local" by default in https://github.com/nextcloud/server/blob/master/lib/private/Accounts/AccountManager.php (lines 180 to 200) be changed so that:

  • if "Display name" or "E-mail address" are set at a value different from "Private", then no change is made to the scope;
  • if "Display name" and "E-mail address" are both set at "Private", then only "Display name" is set to "Local" (while "E-mail address" remains "Private").

This option seems to be rejected by the core group of developers. I suspect that the reason is the one that I provide above, and I hence propose this way forward to address their concern about overall coherence of the core of NC.
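The two proposals above, modelled as an added illustration (this is not Nextcloud code and not part of the issue). The constant names mirror those in the quoted snippet; their string values, the array-based property model, the hypothetical `searchByDisplayNameOnly` admin option and the `searchUsers()` function are all assumptions made for this stand-alone example. It contrasts the quoted behaviour (both properties silently downgraded to local) with the alternative (only the display name is downgraded, and only when both are private), and shows a user search that never matches on an e-mail address whose scope is private.

```php
<?php
// Added example, not Nextcloud code. Scope/property names follow the quoted
// snippet; the values below are assumptions for this stand-alone script.
const SCOPE_PRIVATE = 'v2-private';
const SCOPE_LOCAL   = 'v2-local';
const PROPERTY_DISPLAYNAME = 'displayname';
const PROPERTY_EMAIL       = 'email';

// Each account is modelled as: name => ['value' => ..., 'scope' => ...]

/** Quoted behaviour: a private scope on either property is rejected or
 *  downgraded to local, so the e-mail address can never stay private. */
function normalizeScopesQuoted(array $account, bool $throwOnData = false): array {
    foreach ([PROPERTY_DISPLAYNAME, PROPERTY_EMAIL] as $name) {
        if (($account[$name]['scope'] ?? null) === SCOPE_PRIVATE) {
            if ($throwOnData) {
                // v2-private is not available for these fields
                throw new InvalidArgumentException('scope');
            }
            // default to local
            $account[$name]['scope'] = SCOPE_LOCAL;
        }
    }
    return $account;
}

/** Alternative from the issue: only when BOTH are private is the display
 *  name forced to local (so the account stays findable); the e-mail address
 *  keeps whatever scope the user chose, including private. */
function normalizeScopesProposed(array $account): array {
    $dn = $account[PROPERTY_DISPLAYNAME]['scope'] ?? null;
    $em = $account[PROPERTY_EMAIL]['scope'] ?? null;
    if ($dn === SCOPE_PRIVATE && $em === SCOPE_PRIVATE) {
        $account[PROPERTY_DISPLAYNAME]['scope'] = SCOPE_LOCAL;
    }
    return $account;
}

/** Hypothetical admin option: when $displayNameOnly is true, registered users
 *  are matched on display name alone. When it is false, the e-mail address is
 *  still only searchable if its scope is not private. Returns matching uids. */
function searchUsers(array $accounts, string $needle, bool $displayNameOnly): array {
    $hits = [];
    foreach ($accounts as $uid => $acc) {
        $dn = $acc[PROPERTY_DISPLAYNAME];
        $em = $acc[PROPERTY_EMAIL];
        if ($dn['scope'] !== SCOPE_PRIVATE && stripos($dn['value'], $needle) !== false) {
            $hits[] = $uid;
            continue;
        }
        if (!$displayNameOnly && $em['scope'] !== SCOPE_PRIVATE
            && stripos($em['value'], $needle) !== false) {
            $hits[] = $uid;
        }
    }
    return $hits;
}

// Constructed sample account: user chose "private" for both properties.
$alice = [
    PROPERTY_DISPLAYNAME => ['value' => 'Alice Example', 'scope' => SCOPE_PRIVATE],
    PROPERTY_EMAIL       => ['value' => 'alice@example.org', 'scope' => SCOPE_PRIVATE],
];

$quoted   = normalizeScopesQuoted($alice);    // both properties end up v2-local
$proposed = normalizeScopesProposed($alice);  // displayname v2-local, email stays v2-private

echo 'quoted:   ', $quoted[PROPERTY_EMAIL]['scope'], PHP_EOL;
echo 'proposed: ', $proposed[PROPERTY_EMAIL]['scope'], PHP_EOL;

$accounts = ['alice' => $proposed];
// Found by display name either way; never found by e-mail while it is private.
var_dump(searchUsers($accounts, 'alice', true));        // ["alice"]
var_dump(searchUsers($accounts, 'example.org', false)); // []
```

The point of the search function is that the admin option and the scope check are independent safeguards: even with e-mail search left on, a private e-mail address is never used as a match key, so enabling "Private" for the e-mail address does not silently break sharing or invitations for registered users.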

Metadata

Assignees

No one assigned

    Labels

    • 0. Needs triage (Pending check for reproducibility or if it fits our roadmap)
    • enhancement
    • feature: profile (PRs or issues related to the Profile feature, e.g. Profile page, API, etc.)
    • feature: sharing
    • feature: users and groups
    • needs review (Needs review to determine if still applicable or covered by other issues)
    • privacy

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests
